FTC Staff Report on Internet of Things: Recommends Self-Regulation “Best Practices,” But Leaves Key Issues Unresolved
The Federal Trade Commission released its much anticipated staff report on January 27 regarding consumer privacy and data security concerns arising from the emerging market for connected devices known as the Internet of Things (“IoT”). Titled “The Internet of Things: Privacy and Security in a Connected World,” the FTC’s report (the “Report”) builds on the FTC’s November 2013 IoT Workshop and focuses on issues arising from the estimated 25 billion consumer-facing IoT devices expected to be connected by the end of this year. The Report presents the FTC staff’s recommendations and best practices for enhancing privacy and security in the consumer IoT space, but does not resolve some of the most significant issues presented by this emerging sector, including how to reconcile the growing tension between Fair Information Practice Principles or “FIPPs” — such as notice, choice and data minimization – with technology that often lacks screens for notice and contains sensors designed to collect multiple streams of data at all times.
Significantly, the Report recognizes that the IoT is in its infancy and that any IoT-specific legislation at this time would be premature. Instead, the staff used the occasion to again call for Congress to enact both general data security legislation with a national breach standard, as well as baseline privacy legislation that would include mandatory privacy disclosures and offers consumers choices concerning how their data is collected and used.
In the absence of such legislation, the Report recommends the adoption of certain best practices without offering specific solutions for the myriad of privacy and security issues presented by the proliferation of connected devices. The ambiguity surrounding the recommendations and their ultimate effectiveness, coupled with the likelihood of additional enforcement actions in 2015, presents certain risks for entities operating in the IoT.
Recommended Best Practices: Security, Data Minimization, and Notice and Choice
The Report presents best practice recommendations regarding the FIPPs that were the main focus of the FTC’s 2013 IoT Workshop: security, data minimization, notice, and choice.
Security & Data Minimization
The Report concludes that IoT companies should employ security measures for a given device that reflect the context and use of the data derived from such a device, with more robust security measures appropriate for more sensitive devices or devices that collect sensitive information. Entities operating in the IoT environment are encouraged to adopt six best practices, all of which have been reflected in recent FTC enforcement actions and resulting consent decrees involving IoT technology:
- Companies should integrate “security by design” into their practice by implementing security measures at every stage of a product’s development. They should incorporate privacy or security risk assessments, require users to change default passwords during set-up, minimize what data is collected and retained, and test security measures before products are launched to help identify and close vulnerabilities.
- Companies should train employees on “good” security practices.
- Companies should only use outside service providers that are able to maintain reasonable security of consumers’ data, and they must oversee the providers’ work. The FTC staff noted that failure to oversee providers that do not implement effective security measures could result in enforcement actions against the hiring company itself.
- Companies that have systems at significant risk should employ “defense-in-depth,” where security is considered at multiple levels and additional measures such as data encryption are used to secure information.
- Companies should implement reasonable access control measures, such as strong authentication systems, to limit unauthorized access to consumers’ devices, data, or networks. However, the Report cautions that such control measures should not “unduly impede the usability of the device.”
- Companies should continue to monitor products throughout their life cycle, issue patches to fix vulnerabilities whenever feasible, and be transparent with customers about the availability of ongoing security updates and software patches.
The Report also urges companies to practice data minimization – a long-standing privacy principle where companies impose reasonable limits on the collection and retention/disposal of consumer data. However, recognizing that data minimization in the IoT ecosystem is challenging, the Report recommends a “flexible” approach to data minimization, such that companies can tailor their data retention needs by: collecting no data; collecting data limited to the categories required to provide the service offered by the device; collecting less sensitive data; or choosing to de-identify the data collected. The Report did not squarely address the fact that continuous data feeds are a critical element to many connected devices operating in the IoT ecosystem, thereby making many of staff’s recommendations impractical.
Notice and Choice
The Report re-emphasizes that providing consumers with effective notice and choice remains an important construct, while recognizing that it can be especially challenging in the IoT ecosystem, particularly given the ubiquity of devices (expected to reach 50 billion by 2020), the pervasive nature of the data collected, and the challenge presented when there is no customer interface on devices. As such, the Report proposes to incorporate certain elements of a use-based model, where choice is tied to the context of the interaction with the connected device. The Report concludes that notice to consumers is essential in order to allow them to make meaningful choices, and companies can find innovative and alternative methods, such as giving notice through tutorials or providing choices at the point of sale or during device set-up.
Ultimately, however, the Report notes that there are limitations arising from a pure use-based model. For example, it is unclear who would decide which uses are beneficial or harmful and how that determination should be made. Further, the use-based model does not take into account concerns about the collection of sensitive information and it, alone, is incapable of addressing the risks created by expansive data collection and retention.
Potential Enforcement Actions
Notwithstanding the lack of ambiguity surrounding some of the key issues raised by this emerging technology, the Report declares that the FTC will continue its regulatory enforcement in the IoT space, and that the FTC’s staff will continue to recommend enforcement actions against companies are in violation of any applicable laws enforced by the FTC. Specifically, the Report notes that “[the] staff believes that a strong FTC law enforcement presence will help incentivize appropriate privacy and security practices.”
Unfortunately, the Report provides no clear standards for those situations where the FTC will view enforcement as necessary or appropriate. And while numerous prior FTC consent decrees may provide some guidance on the Commission’s views of “reasonable” data security practices, it is still unclear how it may address some of the new issues raised in the Report, especially data minimization. This lack of clarity is a concern, particularly following FTC Consumer Protection Director Jessica Rich’s recent statements that policing the IoT is a top concern for the agency, which is likely to bring more IoT-related cases in the near future. As the Report suggests, without new legislation, the FTC’s enforcement actions in the IoT arena will continue to be limited to deception and unfairness under its Section 5 authority.
Companies operating in the IoT sector may view the FTC staff’s Report as, at best, an incremental step forward that leaves lingering questions surrounding the important (and fundamental) issues of notice, choice and data minimization largely unresolved. Moreover, with the prospect of increased enforcement, the Report’s lack of clear standards requires companies to move forward without solid guidance from the FTC concerning how best to protect privacy and secure data in this new environment.
In the absence of such guidance, companies operating in this space should take steps to minimize the likelihood of enforcement actions under the FTC’s present authority by ensuring a culture that values consumer privacy and secures consumer data. This starts with privacy and security at the design stage and continues throughout a product’s lifecycle. It is reinforced through regular training, monitoring and auditing as part of a company’s privacy and information security programs. Companies operating in a privacy-focused culture should also make certain their notices and practices are clear and appropriate for the type and scope of information collected and used. Finally, consider whether any data minimization could be practically implemented without harming the functionality of devices and if not, whether some level of de-identification is a viable alternative to reduce risk of compromise and protect consumer privacy.